Security Watch

Semper Fee

Active military personnel had their accounts hacked at Pentagon Federal Credit Union in Alexandria, Va., according to a Jan. 17 story in The Washington Post.

The source of the leak was allegedly an unguarded laptop that had stored an undisclosed number of accounts. The hacking incident was discovered Dec. 12, according to the Post, but not reported to customers until January.

The New Hampshire Attorney General's Office, however, reported Social Security, debit card and credit card numbers of 514 residents had been hacked in the incident. New Hampshire requires companies to notify the state's Attorney General's Office when security breaches affecting its residents occur.

The credit union wrote to customers saying no passwords or user IDs had been stolen. It reissued all compromised credit and debit cards.

Security experts said it was likely that customers in every state were affected, and that the attack raised larger concerns, such as the possibility that hackers compromised customers who have access to critical Pentagon information. They also said attacks against credit unions are on the rise because credit unions have smaller budgets to deal with security issues than big banks.

The story cites security experts as saying that the full extent of the security breach may not be known for years, and it is unclear if the credit union has been able to patch the security hole.

Pentagon Federal is a private company that services nearly 1 million active duty military personnel. It has $15 billion of assets.

Duty Calls

Seacoast Radiology Associates Inc. of Rochester, N.H., had its servers hacked Jan. 11, according to a Jan. 14 story in the online technology publication TheRegister.com. Hackers allegedly broke into the servers, which store medical account information for 230,000 patients, in order to use the capacity to host the popular online game Call of Duty.

Seacoast notified its patients in November that the servers contained names, addresses, Social Security numbers and medical diagnoses, among other things. It also urged patients to monitor credit reports for signs of identity theft, although the article said there were no signs of misuse of the information. Criminals might use the compromised information to set up fraudulent bank accounts and credit card accounts.

A system administrator discovered the breach after noticing a dramatic loss of bandwidth, but it was unclear how long the servers had been hijacked before the breach was discovered.

Tablet Tampering

Two men were arrested Tuesday for allegedly hacking into AT&T Inc.'s servers, potentially making off with personal information and e-mail addresses for 120,000 Apple Inc. iPad users, according to a Jan. 18 story from The Wall Street Journal.

The two men taken into custody were identified as Andrew Auernheimer and Daniel Spitler.

"I hack, I ruin, I make piles of money. I make people afraid for their lives," wrote Auernheimer on his blog weev.livejournal.com, according to the news site CliffviewPilot.com in a Jan. 18 story. Auernheimer first bragged of the break-in June 9, 2010.

Auernheimer was arraigned in Fayetteville, Ark. Spitler was arraigned in Newark, N.J.

In June, AT&T acknowledged the vulnerability, which stemmed from a flaw in its website, and said it had fixed the problem.

The Federal Bureau of Investigation began an inquiry in 2010 after AT&T revealed the hole. Federal authorities charged the duo with conspiracy to access a computer without authorization and fraud in connection with personal information. According to the complaint, the hackers created a script called "iPad 3G Account Slurper," which was designed to mimic the version of Apple's iPad that can connect to AT&T's network. This tricked AT&T servers into believing they were communicating with a real iPad.

The script then randomly produced unique identifiers for other iPads. Correct guesses resulted in e-mail addresses appearing on AT&T's website. At the time, the hackers forwarded the e-mail addresses to Gawker.com, which wrote about the break-in last year. Gawker was itself the victim of a hack attack and shutdown in December.
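The guessing pattern described above leaves a recognizable trace in server logs: one client asking about many different identifiers and mostly getting no match. The following is an added example, not part of the original article or of any AT&T system; the log format, field names, thresholds and sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log, not real data. Assumed format:
# "<time> <client> <device_id> <result>", where result is "hit" when the
# identifier matched an account (an e-mail address was returned), else "miss".
SAMPLE_LOG = """\
10:00:01 192.0.2.10 ID-48213 hit
10:03:40 192.0.2.10 ID-48213 hit
10:00:02 203.0.113.5 ID-70001 hit
10:00:03 203.0.113.5 ID-70002 hit
10:00:04 203.0.113.5 ID-70003 hit
10:00:05 203.0.113.5 ID-70004 hit
10:00:06 203.0.113.5 ID-70005 hit
10:00:07 198.51.100.7 ID-10001 miss
10:00:07 198.51.100.7 ID-93422 miss
10:00:08 198.51.100.7 ID-48213 hit
10:00:08 198.51.100.7 ID-55710 miss
10:00:09 198.51.100.7 ID-20988 miss
10:00:09 198.51.100.7 ID-70003 hit
this line is malformed
"""


def flag_enumeration(log_text, min_distinct=5, max_hit_ratio=0.5):
    """Return {client: (distinct_ids, hit_ratio)} for likely identifier guessers."""
    ids = defaultdict(set)
    hits = defaultdict(int)
    total = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("hit", "miss"):
            continue  # skip lines that do not match the assumed format
        _, client, device_id, result = parts
        ids[client].add(device_id)
        total[client] += 1
        hits[client] += result == "hit"
    flagged = {}
    for client, count in total.items():
        ratio = hits[client] / count
        # Many different identifiers AND mostly wrong guesses: a shared gateway
        # serving many real devices has many identifiers but a high hit ratio.
        if len(ids[client]) >= min_distinct and ratio <= max_hit_ratio:
            flagged[client] = (len(ids[client]), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Only the client that queried six different identifiers with a one-in-three match rate is flagged; the single-device client and the shared gateway with all matches are not.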

E-mail Hack

A 23-year-old California man pleaded guilty in Sacramento Superior Court Jan. 13 to seven felony charges, including computer intrusion, impersonation and possession of child pornography, stemming from his break-in to hundreds of e-mail accounts accessed via Facebook, the social media site run by Facebook Inc.

Over a nine-month period that ended in September 2010, George Samuel Bronk hijacked the accounts of women across 17 states and in England, according to MSNBC.com. In a case that could have significance for banks, which frequently use challenge questions based on personal information for added security, Bronk apparently searched Facebook pages of women who posted e-mail addresses and personal identifiers, such as favorite foods or colors or high school mascots. With that information, Bronk was able to change passwords and user IDs on his victims' e-mail accounts. He also searched their "sent items" folders for compromising photos and videos, which he used to embarrass and blackmail the victims.

In October, authorities confiscated Bronk's computer and found more than 170 files of explicit photographs stolen from hijacked e-mail accounts. Bronk, who had been held on $500,000 bail since October, faces six years in prison. He would also be required to register as a sex offender.

Prediction

As e-commerce continues to expand, particularly with the explosion of mobile devices, it will be more difficult for security firms to protect consumers, according to the Web security firm Threatmetrix of Los Altos, Calif.

Many security firms rely on cookies to identify clients, and increasingly consumers are using devices that don't rely on cookies, or they have grown more sophisticated about blocking cookies. The same host of new devices enabling mobile transactions, such as online banking, can make it easier for scammers to hide their IP addresses, making it more difficult for online companies to trace the source of fraudulent transactions.
